7/29/2019 Chapter5 Security
1/91
Copyright 2002 Pearson Education, Inc. Slide 5-1 Copyright 2002 Pearson Education, Inc. Slide 5-2
CHAPTER 5
Created by, David Zolzer, Northwestern State UniversityLouisiana
Security and Encryption
Copyright 2002 Pearson Education, Inc. Slide 5-3
Learning Objectives
Understand the scope of e -commercecrime and security problems
Describe the key dimensions of e-
commerce security
Understand the tension between securityand other values
Identify the key security threats in the e -commerce environment
Copyright 2002 Pearson Education, Inc. Slide 5-4
Learning Objectives
Describe how various forms of encryptiontechnology help protect the security ofmessages sent over the Internet
Identify the tools used to establish secureInternet communications channels
Identify the tools used to protectnetworks, servers, and clients
Appreciate the importance of policies,procedures, and laws in creating security
Copyright 2002 Pearson Education, Inc. Slide 5-5
The E-commerce SecurityEnvironment
Recent survey of 538 securitypractitioners in U.S. corporations andgovernment agencies reported: 85% detected breaches of computer security
within the last 12 months
64% acknowledged financial loss as a result 35% quantified their financial loss to total $337
million in aggregate
Copyright 2002 Pearson Education, Inc. Slide 5-6
The E-commerce SecurityEnvironment
Most serious losses involved theft ofproprietary information or financial fraud
40% reported attacks from outside the
organization
38% experienced denial of service attacks
94% detected virus attacks
7/29/2019 Chapter5 Security
2/92
Copyright 2002 Pearson Education, Inc. Slide 5-7
Internet Fraud Complaints Reportedto the IFCCPage 232, Figure 5.1
Copyright 2002 Pearson Education, Inc. Slide 5-8
The E-commerce SecurityEnvironmentPage 234, Figure 5.2
Copyright 2002 Pearson Education, Inc. Slide 5-9
Dimensions ofE-commerce Security
Integrity refers to the ability to ensure thatinformation being displayed on a Web siteor transmitted or received over the
Internet, has not been altered in any way
by an unauthorized party Nonrepudiation refers to the ability to
ensure that e -commerce participants donot deny (I.e., repudiate) their onlineactions
Copyright 2002 Pearson Education, Inc. Slide 5-10
Dimensions ofE-commerce Security
Authenticity refers to the ability to identifythe identity of a person or entity withwhom you are dealing on the Internet
Confidentiality refers to the ability to
ensure that messages and data areavailable only to those who are authorized
to view them
Copyright 2002 Pearson Education, Inc. Slide 5-11
Dimensions ofE-commerce Security
Privacy refers to the ability to ensure theuse of information about oneself
Availability refers to the ability to ensure
that an e-commerce site continues tofunction as intended
Copyright 2002 Pearson Education, Inc. Slide 5-12
Dimensions ofE-commerce Security
Page 235, Table 5.1
7/29/2019 Chapter5 Security
3/93
Copyright 2002 Pearson Education, Inc. Slide 5-13
The Tension Between Security andOther Values
Ease of use The more security measures that are added to
an e-commerce site, the more difficult it is touse and the slower the site becomes,hampering ease of use. Security is purchasedat the price of slowing down processors andadding significantly to data storage demands.Too much security can harm profitability, whilenot enough can potentially put a business outof business.
Copyright 2002 Pearson Education, Inc. Slide 5-14
The Tension Between Security andOther Values
Public Safety and the Criminal Uses ofSecurity
There is tension between the claims ofindividuals to act anonymously and the needsof the public officials to maintain public safetythat can be threatened by criminals orterrorists .
Copyright 2002 Pearson Education, Inc. Slide 5-15
Security Threats in theE-commerce Environment
Three key points of vulnerability
the client
the server
communications pipeline
Copyright 2002 Pearson Education, Inc. Slide 5-16
A Typical E-commerceTransactionPage 238, Figure 5.3
Copyright 2002 Pearson Education, Inc. Slide 5-17
Vulnerable Points in anE-commerce EnvironmentPage 239, Figure 5.4
Copyright 2002 Pearson Education, Inc. Slide 5-18
Seven Security Threats to E-commerce Sites
Malicious code
includes a variety of threats such as viruses,worms, Trojan horses, and bad applets
virus is a computer program that has theability to replicate or make copies of itself, andspread to other files
worm is designed to spread from computer tocomputer
Trojan horse appears to be benign, but thendoes something other than expected
7/29/2019 Chapter5 Security
4/94
Copyright 2002 Pearson Education, Inc. Slide 5-19
Examples of MaliciousCodePage 241
Table 5.2
Copyright 2002 Pearson Education, Inc. Slide 5-20
Seven Security Threats to E-commerce Sites
Hacking and cybervandalism hacker is an individual who intends to gain
unauthorized access to a computer system
cracker is the term typically used within thehacking community to demote a hacker withcriminal intent
cybervandalism is intentionally disrupting,defacing, or even destroying a site
Copyright 2002 Pearson Education, Inc. Slide 5-21
Seven Security Threats to E-commerce Sites
Hacking and cybervandalism white hats are good hackers that help
organizations locate and fix security flaws
black hats are hackers who act with theintention of causing harm
grey hats are hackers who believe they arepursuing some greater good by breaking inand revealing system flaws
Copyright 2002 Pearson Education, Inc. Slide 5-22
Seven Security Threats to E-commerce Sites
Credit card fraud
Different from traditional commerce
Hackers target files on merchant server
Spoofing
Misrepresenting oneself by using fake emailaddresses or masquerading as someone else
Copyright 2002 Pearson Education, Inc. Slide 5-23
Seven Security Threats to E-commerce Sites
Denial of Service Attacks
Flooding a Web site with useless traffic toinundate and overwhelm the network
Distributed Denial of Service attack usesnumerous computers to attack the targetnetwork from numerous launch points
Copyright 2002 Pearson Education, Inc. Slide 5-24
Seven Security Threats to E-commerce Sites
Sniffing
A type of eavesdropping program thatmonitors information traveling over a network
Insider Jobs
Employees with access to sensitiveinformation
Sloppy internal security procedures
Able to roam throughout an organization ssystem without leaving a trace
7/29/2019 Chapter5 Security
5/95
Copyright 2002 Pearson Education, Inc. Slide 5-25
Tools Available to Achieve SiteSecurityPage 247, Figure 5.5
Copyright 2002 Pearson Education, Inc. Slide 5-26
Encryption
The process of transforming plain text ordata into cipher text that cannot be readby anyone outside of the sender and the
receiver. The purpose of encryption is (a)to secure stored information and (b) to
secure information transmission.
Cipher text is text that has been encryptedand thus cannot be read by anyonebesides the sender and the receiver
Copyright 2002 Pearson Education, Inc. Slide 5-27
Encryption
Key or cipher is any method fortransforming plain text to cipher text
Substitution cipher is where every
occurrence of a given letter is
systematically replaced by another letter Transposition cipher changes the ordering
of the letters in each word in some
systematic way
Copyright 2002 Pearson Education, Inc. Slide 5-28
Encryption
Symmetric key encryption (secret keyencryption) the sender and the receiveruse the same key to encrypt and decrypt
the message
Data Encryption Standard (DES) is themost widely used symmetric key
encryption, developed by the NationalSecurity Agency (NSA) and IBM. Uses a56-bit encryption key
Copyright 2002 Pearson Education, Inc. Slide 5-29
Encryption
Public key cryptography uses two mathematicallyrelated digital keys are used: a public key and aprivate key.
The private key is kept secret by the owner, andthe public key is widely disseminated.
Both keys can be used to encrypt and decrypt amessage.
However, once the keys are used to encrypt amessage, the same key cannot be used tounencrypt the message
Copyright 2002 Pearson Education, Inc. Slide 5-30
Public Key Cryptography -A Simple CasePage 251, Figure 5.6
7/29/2019 Chapter5 Security
6/96
Copyright 2002 Pearson Education, Inc. Slide 5-31
Public Key Cryptography withDigital SignaturesPage 252, Figure 5.7
Copyright 2002 Pearson Education, Inc. Slide 5-32
Encryption
Digital signature is a signed cipher textthat can be sent over the Internet
Hash function uses an algorithm that
produces a fixed-length number called ahash or message digest
Digital envelop is a technique that usessymmetric encryption for large
documents, but public key encryption toencrypt and send the symmetric key
Copyright 2002 Pearson Education, Inc. Slide 5-33
Public Key Cryptography: Creatinga Digital EnvelopePage 254, Figure 5.8
Copyright 2002 Pearson Education, Inc. Slide 5-34
Digital Certificates and Public KeyInfrastructurePage 255, Figure 5.9
Copyright 2002 Pearson Education, Inc. Slide 5-35
Encryption
Digital certificate is a digital documentissued by a certification authority thatcontains the name of the subject orcompany, the subject s public key, adigital certificate serial number, anexpiration date, the digital signature of thecertification authority, and otheridentifying information
Certification Authority (CS) is a trustedthird party that issues digital certificates
Copyright 2002 Pearson Education, Inc. Slide 5-36
Encryption
Public Key Infrastructure (PKI) arecertification authorities and digitalcertificate procedures that are accepted
by all parties
Pretty Good Privacy (PGP) is a widelyused email public key encryption software
program
7/29/2019 Chapter5 Security
7/97
Copyright 2002 Pearson Education, Inc. Slide 5-37
Securing Channels ofCommunications
Secure Sockets Layer (SSL) is the mostcommon form of securing channels
Secure negotiated session is a client-server session in which the URL of therequested document, along with thecontents, the contents of forms, and thecookies exchanged, are encrypted.
Session key is a unique symmetricencryption key chosen for a single securesession
Copyright 2002 Pearson Education, Inc. Slide 5-38
Secure Negotiated Sessions UsingSSLPage 259, Figure 5.10
Copyright 2002 Pearson Education, Inc. Slide 5-39
Securing Channels ofCommunications
Secure Hypertext Transfer Protocol (S-HTTP) is asecure message -oriented communicationsprotocol designed for use in conjunction withHTTP. Cannot be used to secure non-HTTPmessages
Virtual Private Networks (VPN) allow remoteusers to securely access internal networks viathe Internet, using Point-to-Point TunnelingProtocol (PPTP)
PPTP is an encoding mechanism that allows onelocal network to connect to another using theInternet as a conduit
Copyright 2002 Pearson Education, Inc. Slide 5-40
Protecting Networks
Firewalls are software applications thatact as a filter between a company s privatenetwork and the Internet itself
Proxy server is a software server that
handles all communications originatingfrom or being sent to the Internet, acting
as a spokesperson or bodyguard for theorganization
Copyright 2002 Pearson Education, Inc. Slide 5-41
Firewalls and Proxy ServersPage 262, Figure 5.11
Copyright 2002 Pearson Education, Inc. Slide 5-42
Protecting Servers and Clients
Operating system controls allow for theauthentication of the user and accesscontrols to files, directories, and network
paths
Anti-virus software is the easiest and leastexpensive way to prevent threats to
system integrity
7/29/2019 Chapter5 Security
8/98
Copyright 2002 Pearson Education, Inc. Slide 5-43
Policies, Procedures, and Laws
Developing an e-commerce security plan
perform a risk assessment
develop a security policy
develop an implementation plan
create a security organization
perform a security audit
Copyright 2002 Pearson Education, Inc. Slide 5-44
Developing anE-commerce Security PlanPage 264, Figure 5.12
Copyright 2002 Pearson Education, Inc. Slide 5-45
A Security Plan: ManagementPolicies
Risk assessment is the assessment ofrisks and points of vulnerability
Security policy is a set of statementsprioritizing the information risks,identifying acceptable risk targets, andidentifying the mechanisms for achievingthese targets
Implementation plan is the action stepsyou will take to achieve the security plangoals
Copyright 2002 Pearson Education, Inc. Slide 5-46
A Security Plan: ManagementPolicies
Security organization educations andtrains users, keeps management aware ofsecurity threats and breakdowns, andmaintains the tools chosen to implementsecurity
Access controls determine who can gainlegitimate access to a network
Authentication procedures include the useof digital signatures, certificates ofauthority, and public key infrastructure
Copyright 2002 Pearson Education, Inc. Slide 5-47
A Security Plan: ManagementPolicies
Biometrics is the study of measurablebiological or physical characteristics thatcan be used for access controls
Authorization policies determine differinglevels of access to information assets fordiffering levels of users
Authorization management systemestablishes where and when a user ispermitted to access certain parts of a Website
Copyright 2002 Pearson Education, Inc. Slide 5-48
A Security Plan: ManagementPolicies
Security audit involves the routine reviewof access logs identifying how outsidersare using the site as well as how insidersare accessing the site s assets
Tiger team is a group whose sole jobactivity is attempting to break into a site
CERT Coordination Center monitors andtracks criminal activity reported to it byprivate corporations and governmentagencies that seek out its help
7/29/2019 Chapter5 Security
9/9
Copyright 2002 Pearson Education, Inc. Slide 5-49
Role of of Laws andPublic Policy
National Infrastructure Protection Centeris a unit within the FBI whose sole missionis to identify and combat threats against
the United States technology andtelecommunications infrastructure
DCS100 (Carnivore) an email sniffing
software program developed by the FBIthat can copy and filter all data sent from auser s computer to a local ISP
Copyright 2002 Pearson Education, Inc. Slide 5-50
E-commerce Security LegislationPage 268, Table 5.3
Copyright 2002 Pearson Education, Inc. Slide 5-51
Government Efforts to Regulateand Control EncryptionPage 269, Table 5.4